The present invention relates generally to a cryptographic communication method, and a system for carrying out the same, in which a host computer and any given one of a number of user terminals can perform cryptographic communication with each other by way of a communication network. More particularly, the present invention is concerned with a cryptographic communication method and system in which the data key used for encryption (ciphering) and decryption (deciphering) can be designated either by the host computer or by the user terminal concerned.
With progress in information processing and communication techniques, information processing systems are expected to bring great benefits. It goes without saying that such a system must therefore be provided with sufficient and satisfactory measures for protecting the security of the data, messages and other information it processes.
The heart of the information processing system is a main frame computer, from which networks are being developed and expanded on a world-wide scale, overcoming geographical and temporal constraints. From the viewpoint of security, it is of great significance to provide such a main frame computer with a cryptographic communication (crypto-communication) capability.
As a prior art technique for providing the main frame computer with a cryptographic communication function, a system has already been proposed in which a cryptographic apparatus is externally connected to the main frame computer.
FIG. 9 of the accompanying drawings is a diagram for illustrating a typical one of such systems known heretofore.
Referring to the figure, a host system 1008 is arranged to communicate with any given one of terminals 1001, 1002, . . . , 1005 by way of a communication network 1007. It is assumed that a cryptographic key KMT1 (1002) has previously been stored in the terminal 1001. On the host side, the same key is held in a storage unit 1016 of the host system 1008 only in encrypted (ciphered) form, namely as E.sub.KM1 (KMT1) (1017).
Let the symbol E.sub.x (Y) denote the encrypted message generated by common key cryptographic processing of data (Y) with a key (x). By "common key cryptographic processing" is meant a cryptographic processing in which one and the same common key (x in this case) is used both for encryption (expressed, for example, as a function E.sub.x (ordinary message)) and for decryption (expressed, for example, as a function D.sub.x (encrypted message)), so that D.sub.x (E.sub.x (Y)) = Y.
Of course, a common cryptographic key may likewise be set up between the host system 1008 and each of the terminals 1003, . . . , 1005 through similar processing.
In the host system 1008, a host main unit (corresponding to the main frame computer) 1009 reads out from the storage unit 1016 the encrypted cryptographic key E.sub.KM1 (KMT1) (1017) and places it in a memory 1020 incorporated in the host main unit itself. Subsequently, the host main unit 1009 supplies as input data to a cryptograph machine or unit 1013 the encrypted cryptographic key E.sub.KM1 (KMT1) together with a random number R (1012) (which is related to the data key KS by R = E.sub.KM0 (KS), as will be described hereinafter), whereupon the value E.sub.KMT1 (KS) output by the cryptograph unit 1013 is held in a memory 1010. To generate the encrypted key value E.sub.KMT1 (KS), the cryptograph unit 1013 performs the processing below using the input data E.sub.KM1 (KMT1) (1020), the random number R (1012) and the master keys KM0 (1014) and KM1 (1015), which are held inside the cryptograph unit:
    Input:        IN1  ← E.sub.KM1 (KMT1)
                  IN2  ← R
    Computation:  KMT1 ← D.sub.KM1 (IN1)
                  KS   ← D.sub.KM0 (IN2)
                  WORK ← E.sub.KMT1 (KS)
    Output:       OUT  ← WORK
Concerning the above processing, reference may be made to the publicly available literature cited below, p. 252, "RFMK Operation". By virtue of this processing, the host main unit 1009 obtains an encrypted key E.sub.KMT1 (KS) (1010) which can be decrypted with the cryptographic key KMT1 (1002) held in the terminal 1001. The encrypted key E.sub.KMT1 (KS) (1010) is then transmitted to the terminal 1001 via the communication network 1007.
When the terminal 1001 and the host system 1008 then communicate cryptographically with each other, the data to be transmitted is encrypted, and the data received is decrypted, with the data key KS generated from the random number.
Now assume that an attempt is made to wiretap data being transmitted over the communication network. Only the terminal 1001 and the host system 1008 can recover the data key KS from the encrypted key data E.sub.KMT1 (KS), because only they have KMT1 at their disposal. The terminals 1003 to 1005 cannot decrypt this data since the key KMT1 is not available to them. Accordingly, neither the users of the terminals 1003, . . . , 1005 nor the wiretapper 1021 attacking the communication network 1007 can decrypt the encrypted message and learn its contents.
The prior art technique mentioned above is discussed in detail in Carl H. Meyer and Stephen M. Matyas, "ANGOU", Shizensha Co., February 1987, pp. 195-357, Japanese edition (original: "CRYPTOGRAPHY: A NEW DIMENSION IN COMPUTER DATA SECURITY", John Wiley and Sons, Inc., New York, 1982).
In addition to the common key cryptographic processing described above, in which the same common key is used for both encryption and decryption, there is also known a system in which cryptographic communication is performed with a pair of different keys, referred to as a public key and a private key, one being used for encryption and the other for decryption.
FIG. 10 of the accompanying drawings shows a general arrangement of a system in which a cryptographic communication is realized by a combination of a common key cryptographic processing and a public key cryptographic processing.
Referring to the figure, a first communication apparatus 1100 is connected to a second communication apparatus 1200 via a communication network (not illustrated). To set up a data key, a random data key (K) is first generated in the communication apparatus 1100, and the data key (K) is then encrypted by public key cryptographic processing with a public key (P) in a public key cryptographic processing part 1101. The encrypted data key is written PSAp(K).
Subsequently, the encrypted data key PSAp(K) is transmitted to the second communication apparatus 1200, also referred to as the destination apparatus. In the destination apparatus 1200, public key cryptographic processing is performed on the received data PSAp(K) with the private key (S), thereby recovering the data key (K) by decryption. Thereafter, the data to be transmitted is encrypted, and the received data decrypted, in the encryption/decryption processing parts 1102 and 1202 of the two apparatuses by common key cryptographic processing with the data key (K) as the common key.
A typical system for cryptographic communication based on the combination of common key and public key cryptographic processing is disclosed in Diffie et al., "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. IT-22, No. 6, November 1976.
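The exchange of FIG. 10, as an added example that is not code from the patent or from Diffie et al.: apparatus 1100 chooses a random data key K, sends it as the public-key encryption the text writes PSAp(K), and apparatus 1200 recovers K with the private key S before both sides switch to common-key processing under K. Textbook RSA over two fixed Mersenne primes stands in for the public-key step and an HMAC-SHA256 keystream XOR for the common-key step; both are toy choices made so the example runs offline (a real system pads with OAEP and uses an authenticated cipher), and the prime values, the 8-byte data key size and the function names are assumptions of this example.

```python
"""Added model of the FIG. 10 hybrid key transport; not the patent's code."""
import hashlib
import hmac
import os

# Constructed toy RSA key pair: p = 2^61-1 and q = 2^31-1 are both prime, e = 65537.
# gcd(e, (p-1)(q-1)) = 1, so the private exponent exists. Far too small for real use.
P_PRIME, Q_PRIME, PUB_EXP = 2**61 - 1, 2**31 - 1, 65537
MODULUS = P_PRIME * Q_PRIME
PRIV_EXP = pow(PUB_EXP, -1, (P_PRIME - 1) * (Q_PRIME - 1))
PUBLIC_KEY = (PUB_EXP, MODULUS)     # public key P, known to apparatus 1100
PRIVATE_KEY = (PRIV_EXP, MODULUS)   # private key S, held only by apparatus 1200
KEY_LEN = 8                         # data key K is 8 bytes so that K < MODULUS


def pk_encrypt(pub, k: bytes) -> int:
    """Public key processing part 1101: the encrypted data key PSAp(K) (textbook RSA)."""
    e, n = pub
    m = int.from_bytes(k, "big")
    assert 0 < m < n, "data key must be smaller than the toy modulus"
    return pow(m, e, n)


def pk_decrypt(priv, c: int) -> bytes:
    """Public key processing in apparatus 1200: recovers K from PSAp(K) with S."""
    d, n = priv
    return pow(c, d, n).to_bytes(KEY_LEN, "big")


def sym(k: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Common-key step of parts 1102/1202: XOR with an HMAC-SHA256 keystream.
    The same call encrypts and decrypts (toy stream cipher, no integrity)."""
    stream, ctr = b"", 0
    while len(stream) < len(msg):
        stream += hmac.new(k, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(msg, stream))


def exchange(plaintext: bytes):
    """Full flow: 1100 sends PSAp(K) and E_K(data); 1200 recovers K, then the data.
    Returns (K as seen by 1200, decrypted data)."""
    k = os.urandom(KEY_LEN)                 # random data key chosen by apparatus 1100
    nonce = os.urandom(12)                  # sent in the clear alongside the ciphertext
    wire_key = pk_encrypt(PUBLIC_KEY, k)    # PSAp(K) on the network
    wire_data = sym(k, nonce, plaintext)    # E_K(data) on the network
    # Apparatus 1200: only the holder of S can turn PSAp(K) back into K.
    k_recovered = pk_decrypt(PRIVATE_KEY, wire_key)
    return k_recovered, sym(k_recovered, nonce, wire_data)


if __name__ == "__main__":
    key, text = exchange(b"constructed sample message")
    print(key.hex(), text)
```

A wiretapper on the network sees PSAp(K), the nonce and E_K(data); without S none of these yields K, which is the property the text relies on, and also why the next paragraphs are concerned with where S can safely live.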
In practical applications, the main frame computer (also referred to as the host) described above is by nature used by a great number of users. Under these circumstances it is vitally important to positively prevent the situation in which a third party who is authorized to access the host wiretaps data from the communication network and decrypts it with the aid of the host. Besides protecting data against decryption by such a third party, it is also important that the data key (KS) enabling the cryptographic communication can be designated not only by the host but also by any terminal requesting the cryptographic communication.
Parenthetically, in connection with protection against unauthorized decryption by a third party, the possibility of such decryption is discussed in Meyer et al., "ANGOU", cited previously.
More specifically, assume that a user A generates the key data E.sub.KMT1 (KS) (1010) and sends it to the terminal 1001, so that the data key KS is shared between user A and the terminal 1001. Assume further that another user B, who has the right to access the cryptograph unit 1013 and the storage unit 1016, taps and records the key data E.sub.KMT1 (KS) (1010) and an encrypted message E.sub.KS (data) from the communication network 1007 with the malicious intention of decrypting the message. To obtain "data", user B need only read out the key data E.sub.KM1 (KMT1) from the storage unit 1016 and have the cryptograph unit perform the following processing:
    Input:        IN1  ← E.sub.KM1 (KMT1)
                  IN2  ← E.sub.KMT1 (KS)
    Computation:  KMT1 ← D.sub.KM1 (IN1)
                  KS   ← D.sub.KMT1 (IN2)
                  WORK ← E.sub.KM0 (KS)
    Output:       OUT  ← WORK
(Refer to Meyer et al, pp. 265-266, "RETKEY Macroinstruction.")
Once user B has obtained OUT = E.sub.KM0 (KS), he or she can decrypt the encrypted message E.sub.KS (data) by the following processing:
    Input:        IN1  ← E.sub.KM0 (KS)
                  IN2  ← E.sub.KS (data)
    Computation:  KS   ← D.sub.KM0 (IN1)
                  data ← D.sub.KS (IN2)
    Output:       OUT  ← data
(See Meyer et al., p. 250, "Data Decrypting Operation DCPH".)
Of course, Meyer et al. have proposed measures for inhibiting such data decryption by a third party. More specifically, in the course of the computation of the RETKEY macro-instruction, decryption with the master key KM1 and encryption with the master key KM0 are inhibited (refer to Meyer et al., pp. 266-269). However, once such an inhibition rule is set up, designation of the data key from the terminal, which is the second important subject under consideration as described hereinbefore, is rendered impossible.
By way of example, assume that the terminal 1001 wishes to share a data key KS' of its own choosing by sending E.sub.KMT1 (KS') to the host. In that case, in order to bring the data key KS' into the form E.sub.KM0 (KS') that the host can use, the host would have to perform the following conversion:
    E.sub.KMT1 (KS') → E.sub.KM0 (KS')
It is apparent, however, that this conversion is exactly the processing forbidden by the inhibition rule described above (decryption with KM1 to recover KMT1, then encryption with KM0), and therefore cannot be executed.
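The following is an added example, not code from the patent or from Meyer and Matyas, that models the FIG. 9 flow (RFMK and the data key set-up), the attack by user B (RETKEY followed by DCPH) and the terminal-designated key KS' discussed in the preceding paragraphs. The toy 8-round Feistel cipher built from HMAC-SHA256 stands in for the DES-based E.sub.x / D.sub.x of the text and is not a secure cipher; the CryptoUnit class, the 16-byte key and message constants and the allow_retkey flag are assumptions of this example. With RETKEY permitted, demo() shows user B recovering the plaintext using nothing but the wiretapped data and the host's own facilities; with the inhibition rule in force, the same guard stops both user B and the terminal's attempt to designate its own KS'.

```python
"""Added model of the external cryptograph unit (1013) of FIG. 9; not the patent's code."""
import hashlib
import hmac

BLOCK = 16  # keys, data keys and messages are one 16-byte block in this toy model


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 keyed by the cipher key, truncated to a half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def E(key: bytes, y: bytes) -> bytes:
    """Common-key encryption E_key(y): toy 8-round Feistel network (NOT a secure cipher)."""
    assert len(y) == BLOCK
    left, right = y[:8], y[8:]
    for rnd in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, rnd, right)))
    return right + left


def D(key: bytes, c: bytes) -> bytes:
    """Common-key decryption D_key(c), the exact inverse of E."""
    assert len(c) == BLOCK
    right, left = c[:8], c[8:]  # undo the final swap of E
    for rnd in reversed(range(8)):
        right, left = left, bytes(a ^ b for a, b in zip(right, _f(key, rnd, left)))
    return left + right


class CryptoUnit:
    """Cryptograph unit 1013: holds master keys KM0 (1014) and KM1 (1015) internally.
    allow_retkey=False models the inhibition rule of Meyer et al. (assumed flag)."""

    def __init__(self, km0: bytes, km1: bytes, allow_retkey: bool = True):
        self._km0, self._km1, self.allow_retkey = km0, km1, allow_retkey

    def rfmk(self, e_km1_kmt: bytes, r: bytes) -> bytes:
        """RFMK: IN1 = E_KM1(KMT), IN2 = R = E_KM0(KS)  ->  OUT = E_KMT(KS)."""
        return E(D(self._km1, e_km1_kmt), D(self._km0, r))

    def retkey(self, e_km1_kmt: bytes, e_kmt_ks: bytes) -> bytes:
        """RETKEY: IN1 = E_KM1(KMT), IN2 = E_KMT(KS)  ->  OUT = E_KM0(KS)."""
        if not self.allow_retkey:
            raise PermissionError("RETKEY inhibited: D_KM1 followed by E_KM0 is not allowed")
        kmt = D(self._km1, e_km1_kmt)
        return E(self._km0, D(kmt, e_kmt_ks))

    def ecph(self, e_km0_ks: bytes, data: bytes) -> bytes:
        """ECPH: encrypt one data block under the KS supplied as E_KM0(KS)."""
        return E(D(self._km0, e_km0_ks), data)

    def dcph(self, e_km0_ks: bytes, e_ks_data: bytes) -> bytes:
        """DCPH: IN1 = E_KM0(KS), IN2 = E_KS(data)  ->  OUT = data."""
        return D(D(self._km0, e_km0_ks), e_ks_data)


def demo(allow_retkey: bool) -> dict:
    """Host/terminal key set-up, then user B's attack and a terminal-designated KS'.
    All key and message values are constructed 16-byte constants."""
    km0, km1, kmt1 = b"host-master-KM0!", b"host-master-KM1!", b"terminal-1-KMT1!"
    unit = CryptoUnit(km0, km1, allow_retkey)
    storage_1016 = E(km1, kmt1)                  # E_KM1(KMT1) kept in host storage unit 1016

    # Host-designated data key: R = E_KM0(KS) goes into RFMK, E_KMT1(KS) goes to the terminal.
    ks = b"session-key-KS!!"
    r = E(km0, ks)
    e_kmt1_ks = unit.rfmk(storage_1016, r)
    assert D(kmt1, e_kmt1_ks) == ks              # terminal 1001 recovers KS with its own KMT1
    data = b"sixteen byte msg"
    wire = unit.ecph(r, data)                    # E_KS(data) as seen on network 1007

    # User B: has wiretapped E_KMT1(KS) and E_KS(data) and may use unit 1013 and
    # storage 1016, but never sees KMT1, KM0 or KM1 in the clear.
    try:
        recovered = unit.dcph(unit.retkey(storage_1016, e_kmt1_ks), wire)
    except PermissionError:
        recovered = None

    # Terminal-designated key: the host must convert E_KMT1(KS') into E_KM0(KS') to use it,
    # which is the same RETKEY path.
    try:
        unit.retkey(storage_1016, E(kmt1, b"terminal-chosen!"))
        terminal_can_designate = True
    except PermissionError:
        terminal_can_designate = False

    return {"user_b_reads_data": recovered == data,
            "terminal_can_designate": terminal_can_designate}


if __name__ == "__main__":
    print("RETKEY permitted:", demo(True))
    print("RETKEY inhibited:", demo(False))
```

The point the example makes concrete is that the host never needs KS or KMT1 in the clear (every step works on E_KM0(KS) and E_KM1(KMT1)), yet the RETKEY conversion that lets a terminal-chosen key enter the host is also the conversion that lets an insider wash a wiretapped E_KMT1(KS) into a usable E_KM0(KS); a single permission bit on that operation cannot separate the two uses.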
In the system disclosed in Diffie et al., "New Directions in Cryptography", decryption of data by a third party is impossible as long as the private key (S) for decrypting the data key (K) remains unknown to that party. However, it is undesirable from the viewpoint of security that the user should have to input such an important private key every time he or she uses a data terminal.
In particular, in the case of a host used by many unspecified persons, where the users are forced to input their respective private keys through keyboards or similar input equipment in order to decrypt encrypted messages, there is the possibility that a malicious third party surreptitiously acquires the key by watching the data being input at the keyboard. Further, dump data held inside the host for a predetermined period for use by a maintenance engineer may be leaked to a third party for some reason. In either case the user's private key becomes available intact to the third party.
When the users' private keys are recorded in a memory incorporated in cryptographic equipment designed to be externally connected to the main frame computer, leakage of the private keys to a third party cannot occur. However, it is undesirable for the system manager or owner that the users' private keys, which must be rewritten promptly whenever the number of system subscribers increases or decreases, are left to the management of the manufacturer of the cryptograph machine. Thus, an important problem to be solved is how the users' private keys should be recorded in the memory of the host main unit, outside the cryptograph machine, without incurring any risk of leakage to a third party.